153809 – samba and clamav on access scanning multiple configuration issues

Bug 153809 - samba and clamav on access scanning multiple configuration issues

Summary: samba and clamav on access scanning multiple configuration issues

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	AMD64 Linux

Importance:	High normal (vote)
Assignee:	Gentoo's SAMBA Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2006-11-02 06:08 UTC by Davide Andrea
Modified:	2007-09-12 21:25 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Davide Andrea 2006-11-02 06:08:28 UTC

This regards samba-3.0.22-r3 and clamav-0.88.5 on amd64, don't know about other versions.
I got them to work fine togheter on a new server, but ONLY after some counter-intuitive tweaks of config files, and despite gentoo guides (gentoo Samba3/CUPS/ClamAV HOWTO).
This is what i think should be fixed to make them work togheter out of the box.

Note: for on access scanning you should AT LEAST emerge with the following use flags.
samba: acl async oav pam readline
clamav: crypt mailwrapper

1) After emerging clamav, the oav config file is not present. I had to manually copy /etc/samba/vscan-oav.conf to /etc/samba/vscan/vscan-clamav.conf and tweak it.

2) Samba can't connect to clamd because default socket is different from the one specified into /etc/clamd.conf. I had to add the following line into the vscan-clamav.conf file:
clamd socket name = /var/run/clamav/clamd.sock
and comment the following (just to be sure to not have conflict issues):
; oav ip = 127.0.0.1
; oav port = 8127

3) Clamav scanner NEEDS to be run as root: either suid it, either (that's what i did) change the following line into the main config file /etc/clamd.conf:
User clamav
to
User root

4) /etc/samba/smb.conf : the right line to add (and the only one needed) to make things work, is:
vfs objects = vscan-clamav
You can add it either to GLOBAL section (if you want every share scanned), or into single share section.
you don't need (as written into guides) the following line:
vscan-clamav: config file = etc...
Samba ignores that line - logs show unsupported feature.

5) Even if run as root, something avoids to quarantine files (if enabled) if quarantine folder doesn't have wrx settings for Others. So i suggest to give full access permission to quarantine folder but to not share it.

I have to point out that i have kinda of paranoic restrictions, because of server running on a public ip, but they shouldn't be related except of the root issue.

Note: somebody points out that dazuko is needed to enable on access scanning (bug 99992). I don't think so... ;-)

Have a nice day.

Comment 1 Tiziano Müller (RETIRED) gentoo-dev

2007-09-12 21:25:34 UTC

Since there's no new version for oav for samba-3.0.25 and the samba developer
refuse to stabilize the api to be able to install oav without the complete
samba-tree, the oav-patch has been dropped for samba-3.0.25 and is not
supported anymore, sorry.